Best Practices for Password Management

Data Privacy Day is approaching, and as part of our awareness campaign, we wanted to review some of the best practices for safe password selection and management. It is surprising but true that even in today’s security-conscious environment, the word “password” and the sequence “123456” remain some of the most common passwords!

To promote online safety and privacy, we have developed a set of basic premises and guidelines to take into account when selecting a password. Different services may have different requirements, but we always recommend choosing a unique password that is as strong as possible, whether it is for a social media account, e-mail address, or network login.

DO

Select passwords that include a combination of upper and lowercase alphabetic characters, symbols, and numbers.

Rotate your passwords regularly. We recommend changing passwords every sixty days, but rotating them every six months will put you way ahead of most others.

Develop a difficult-to-guess but easy-to-remember password that incorporates memory devices.

DO NOT

Use all or part of your name in your password.

Use a password of all numbers or a single, repeated letter.

Use a word contained in any dictionary.

Use a password with a length under six characters.

Reuse or recycle passwords.

One of the best defenses to password attacks is to select an appropriate length. If an attacker is working to gain access and the dictionary attack method has failed (where words from a dictionary are automatically attempted), a brute force attack will likely be the next step. Brute forces attacks involve cycling through all possible password combinations until the correct one is found. For this reason, the longer the password, the longer it will take a cracking algorithm to successfully guess your password.

But even if we follow all the recommended guidelines and best practices (i.e. selecting an unpredictable password with a length greater than 6 characters and a combination of upper and lowercase letters, numbers, and symbols) we are still missing a premise: a password should be easy to remember.

Writing down your password is highly discouraged, and something like “B!zg!e9!0!” is not going to be easily remembered. One solution to this issue might be to turn a sentence into a password, also called a “pass phrase”. For example the sentence “I like to golf on Friday” might become “iL2g0fr!dA”. It’s certainly a complex password, and it is one that can be remembered.

Data security isn’t just something we focus on once a year – it’s something that we need to keep in mind every day. To learn more about selecting a high-strength password, including our full list of best practices, view our blog post here: Celebrating Data Privacy Day 2013.